What is CORS?

By Mark Boreland ·

In short

  • CORS, or cross-origin resource sharing, is the browser rule that decides when code on one domain may fetch data from another.
  • When it blocks a request you see a console error and the data never loads.
  • It mostly bites when a hosted app calls an external API that has not allowed your origin.

CORS is a safety rule built into every browser. By default, JavaScript running on one domain cannot read a response from a different domain unless that other server explicitly allows it with the right header. The rule exists so a random page cannot quietly read your email or your bank account in another tab. The side effect is that a perfectly innocent app can hit a wall when it tries to fetch data from an API that has not opted in.

This is the error people meet most often after they publish a Vite or CRA build or paste in something an AI tool built. The page loads, but a fetch to an external service fails with a cross-origin message in the console. The fix is on the API side. The service has to send a header naming your origin as allowed. NudgeHost serves your files with sensible headers so the files themselves load cleanly, but it cannot grant permission on an API it does not control.

For a page you publish what ChatGPT built that only uses CDN scripts and inline code, CORS never comes up, because nothing is making a cross-origin data request. It surfaces only when your code talks to a separate backend. Hosting is free to start and upgrade to Pro covers higher limits. The practical rule is simple. If a hosted app cannot reach an API, check whether that API allows your origin before assuming the host is at fault.

Related terms

Frequently asked questions

Related tools

Other things you can do on NudgeHost.

Put it into practice.

Drop a file and get a shareable link in seconds. Free, no card needed.

Share a file now